commit 04bff88df6211f64731bf8f5afa088e94496db16
author Bram Moolenaar <Bram@vim.org> Tue Jan 05 20:46:16 2016 +0100
committer Bram Moolenaar <Bram@vim.org> Tue Jan 05 20:46:16 2016 +0100
tree 01637b64a54694cc1fc8296fc938f694dd07ee8d
parent af8af8bfac5792fa64efbc524032d568cc7754f7

patch 7.4.1052
Problem:    Illegal memory access with weird syntax command. (Dominique Pelle)
Solution:   Check for column past end of line.

src/syntax.c

diff --git a/src/syntax.c b/src/syntax.c
index ae3a88a..937fbf1 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -3022,6 +3022,8 @@
 	    if (r && regmatch.startpos[0].col
 					     <= best_regmatch.startpos[0].col)
 	    {
+		int line_len;
+
 		/* Add offset to skip pattern match */
 		syn_add_end_off(&pos, &regmatch, spp_skip, SPO_ME_OFF, 1);
 
@@ -3031,6 +3033,7 @@
 		    break;
 
 		line = ml_get_buf(syn_buf, startpos->lnum, FALSE);
+		line_len = (int)STRLEN(line);
 
 		/* take care of an empty match or negative offset */
 		if (pos.col <= matchcol)
@@ -3040,12 +3043,12 @@
 		else
 		    /* Be careful not to jump over the NUL at the end-of-line */
 		    for (matchcol = regmatch.endpos[0].col;
-			    line[matchcol] != NUL && matchcol < pos.col;
+			    matchcol < line_len && matchcol < pos.col;
 								   ++matchcol)
 			;
 
 		/* if the skip pattern includes end-of-line, break here */
-		if (line[matchcol] == NUL)
+		if (matchcol >= line_len)
 		    break;
 
 		continue;	    /* start with first end pattern again */